package dk.gov.oio.saml.filter;

import dk.gov.oio.saml.model.NSISLevel;
import dk.gov.oio.saml.service.AuthnRequestService;
import dk.gov.oio.saml.service.OIOSAML3Service;
import dk.gov.oio.saml.session.AssertionWrapper;
import dk.gov.oio.saml.session.AssertionWrapperHolder;
import dk.gov.oio.saml.session.AuthnRequestWrapper;
import dk.gov.oio.saml.session.SessionHandler;
import dk.gov.oio.saml.util.AuditRequestUtil;
import dk.gov.oio.saml.util.Constants;
import dk.gov.oio.saml.util.InternalException;
import dk.gov.oio.saml.util.SamlHelper;
import dk.gov.oio.saml.util.StringUtil;
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.encoder.MessageEncodingException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.saml2.binding.encoding.impl.HTTPRedirectDeflateEncoder;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:dk/gov/oio/saml/filter/AuthenticatedFilter.class */
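/**
 * Servlet filter that gates access to the protected part of the application behind a SAML login.
 *
 * <p>On every request the filter looks up the assertion stored on the HTTP session. If there is none,
 * the session handler does not consider the session authenticated, or the session's level is below the
 * configured required NSIS level, an AuthnRequest is built, audit-logged and sent to the IdP via the
 * HTTP-Redirect binding. Otherwise the assertion is exposed to downstream code through
 * {@link AssertionWrapperHolder} for the duration of the chain and cleared again afterwards.
 *
 * <p>Configuration is read from the filter's init-parameters (see {@link Constants}).
 */
public class AuthenticatedFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(AuthenticatedFilter.class);

    // IsPassive flag forwarded into the AuthnRequest; init-param Constants.IS_PASSIVE, default false.
    private boolean isPassive;
    // ForceAuthn flag forwarded into the AuthnRequest; init-param Constants.FORCE_AUTHN, default false.
    private boolean forceAuthn;
    // Optional attribute profile forwarded into the AuthnRequest; init-param Constants.ATTRIBUTE_PROFILE.
    private String attributeProfile;
    // Minimum NSIS level a session must carry to pass this filter; init-param Constants.REQUIRED_NSIS_LEVEL.
    private NSISLevel requiredNsisLevel = NSISLevel.NONE;

    /**
     * Reads the filter's init-parameters into the fields above.
     *
     * <p>Invalid values never abort deployment: they are logged at WARN and the default is kept.
     *
     * @param filterConfig the container-supplied filter configuration
     * @throws ServletException never thrown by this implementation; declared by {@link Filter#init}
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        Map<String, String> config = getConfig(filterConfig);

        // Boolean.parseBoolean(null) is false, so a missing parameter defaults to false.
        this.isPassive = Boolean.parseBoolean(config.get(Constants.IS_PASSIVE));
        this.forceAuthn = Boolean.parseBoolean(config.get(Constants.FORCE_AUTHN));
        if (this.isPassive && this.forceAuthn) {
            log.warn("IsPassive and forceAuthn Cannot both be true");
        }

        String configuredLevel = config.get(Constants.REQUIRED_NSIS_LEVEL);
        if (configuredLevel != null) {
            try {
                this.requiredNsisLevel = NSISLevel.valueOf(configuredLevel);
            } catch (IllegalArgumentException e) {
                // NOTE(review): an unparseable value leaves requiredNsisLevel at its default (NONE), i.e. the
                // filter fails open on a misconfiguration; this warning is the only signal, so log the
                // offending value rather than the level that is kept.
                log.warn("Unknown required NSIS level in configuration: '{}', keeping {}", configuredLevel, this.requiredNsisLevel);
            }
        }

        this.attributeProfile = config.get(Constants.ATTRIBUTE_PROFILE);
        boolean knownProfile = this.attributeProfile == null
                || Constants.ATTRIBUTE_PROFILE_PERSON.equals(this.attributeProfile)
                || Constants.ATTRIBUTE_PROFILE_PROFESSIONAL.equals(this.attributeProfile);
        if (!knownProfile) {
            log.warn("AttributeProfile should be either null, https://data.gov.dk/eid/Person or https://data.gov.dk/eid/Professional");
        }
    }

    /**
     * Either passes the request down the chain (session authenticated at a sufficient level) or starts a
     * new authentication by redirecting the browser to the IdP.
     *
     * <p>Any exception raised while deciding or while sending the AuthnRequest is logged and wrapped in a
     * {@link ServletException}.
     *
     * @param servletRequest  must be an {@link HttpServletRequest}
     * @param servletResponse must be an {@link HttpServletResponse}
     * @param filterChain     the remaining chain, invoked only for sufficiently authenticated sessions
     * @throws IOException      declared by {@link Filter#doFilter}; propagated from the chain via the catch below
     * @throws ServletException on any failure in this filter
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        log.debug("AuthenticatedFilter invoked by endpoint: '{}{}'", request.getContextPath(), request.getServletPath());
        try {
            HttpSession session = request.getSession();
            OIOSAML3Service.getSessionCleanerService().startCleanerIfMissing(session);
            SessionHandler handler = OIOSAML3Service.getSessionHandlerFactory().getHandler();

            if (userNeedsAuthentication(request, handler, handler.getAssertion(session))) {
                log.debug("Filter config: isPassive: {}, forceAuthn: {}", this.isPassive, this.forceAuthn);

                // The URL the user asked for, query string included, travels with the AuthnRequest.
                String requestedUrl = request.getRequestURI();
                if (request.getQueryString() != null) {
                    requestedUrl = requestedUrl + "?" + request.getQueryString();
                }

                MessageContext<SAMLObject> messageContext = AuthnRequestService.getInstance()
                        .createMessageWithAuthnRequest(this.isPassive, this.forceAuthn, this.requiredNsisLevel, this.attributeProfile);
                AuthnRequest authnRequest = (AuthnRequest) messageContext.getMessage();

                // NOTE(review): the audited "URL" attribute carries the raw query string, so any sensitive
                // parameters present on the original request end up in the audit log as well.
                OIOSAML3Service.getAuditService().auditLog(AuditRequestUtil.createBasicAuditBuilder(request, "BSA1", "AuthnRequest")
                        .withAuthnAttribute("AUTHN_REQUEST_ID", authnRequest.getID())
                        .withAuthnAttribute("URL", requestedUrl));

                sendAuthnRequest(request, response, messageContext, this.requiredNsisLevel, requestedUrl);
            } else {
                // The assertion is published on a ThreadLocal for downstream code; it must be cleared on every
                // exit path so it cannot leak to the next request served by the same pooled thread.
                try {
                    putAssertionOnThreadLocal(session);
                    filterChain.doFilter(request, response);
                } finally {
                    removeAssertionFromThreadLocal();
                }
            }
        } catch (Exception e) {
            log.warn("Unexpected error in authentication filter", e);
            throw new ServletException(e);
        }
    }

    /** Stops the session cleaner and closes the session handler factory. */
    @Override
    public void destroy() {
        OIOSAML3Service.getSessionCleanerService().stopCleaner();
        OIOSAML3Service.getSessionHandlerFactory().close();
    }

    /**
     * Decides whether a fresh authentication at the IdP is required.
     *
     * @param request   current request; its session is consulted via {@code sessionHandler}
     * @param sessionHandler handler answering whether the session counts as authenticated
     * @param assertion the assertion currently stored on the session, or {@code null} if none
     * @return {@code true} if there is no assertion, the session is not authenticated, or the assertion's
     *         level does not satisfy {@link #requiredNsisLevel}; {@code false} if the chain may proceed
     */
    private boolean userNeedsAuthentication(HttpServletRequest request, SessionHandler sessionHandler, AssertionWrapper assertion) {
        if (assertion == null || !sessionHandler.isAuthenticated(request.getSession())) {
            log.debug("Unauthenticated session, Required NSIS Level: {}", this.requiredNsisLevel);
            return true;
        }
        if (isAssuranceSufficient(this.requiredNsisLevel, assertion.getNsisLevel(), assertion.getAssuranceLevel())) {
            log.debug("Authenticated session, NSIS Level: {}", this.requiredNsisLevel);
            return false;
        }
        log.debug("Current NSIS Level on session: {}, Required NSIS Level: {}", assertion.getNsisLevel(), this.requiredNsisLevel);
        return true;
    }

    /**
     * Checks whether the level present on the session satisfies the required level.
     *
     * <p>If the configuration allows assurance levels and the assertion carries one, the numeric assurance
     * level is compared against {@code required.getAssuranceLevel()}. Otherwise the NSIS levels themselves
     * are compared via {@code required.equalOrLesser(sessionLevel)}.
     *
     * @param required       the level this filter demands
     * @param sessionLevel   the NSIS level found on the session's assertion
     * @param assuranceLevel the assertion's assurance level as a string, or {@code null} if absent
     * @return {@code true} if the session level is sufficient; a non-numeric assurance level counts as
     *         insufficient (fail closed)
     */
    private boolean isAssuranceSufficient(NSISLevel required, NSISLevel sessionLevel, String assuranceLevel) {
        if (!OIOSAML3Service.getConfig().isAssuranceLevelAllowed() || assuranceLevel == null) {
            return required.equalOrLesser(sessionLevel);
        }
        try {
            return required.getAssuranceLevel() <= Integer.parseInt(assuranceLevel);
        } catch (NumberFormatException e) {
            log.debug("Assurance level '{}' on session is not numeric, treating as insufficient", assuranceLevel);
            return false;
        }
    }

    /** Clears the ThreadLocal populated by {@link #putAssertionOnThreadLocal(HttpSession)}. */
    private void removeAssertionFromThreadLocal() {
        AssertionWrapperHolder.clear();
    }

    /**
     * Publishes the session's assertion on {@link AssertionWrapperHolder} for the current thread.
     *
     * @param httpSession the session whose assertion is looked up through the session handler
     * @throws InternalException if the session handler fails to retrieve the assertion
     */
    private void putAssertionOnThreadLocal(HttpSession httpSession) throws InternalException {
        AssertionWrapper assertion = OIOSAML3Service.getSessionHandlerFactory().getHandler().getAssertion(httpSession);
        if (assertion == null) {
            // Not an error here: userNeedsAuthentication already decided the chain may run.
            log.warn("No assertion available on session");
            return;
        }
        AssertionWrapperHolder.set(assertion);
        log.debug("Saved Wrapped Assertion to ThreadLocal");
    }

    /**
     * Stores the outgoing AuthnRequest on the session, audit-logs it (BSA2) and redirects the browser to
     * the IdP using the HTTP-Redirect (DEFLATE) binding.
     *
     * @param request        current request; its session receives the {@link AuthnRequestWrapper}
     * @param response       response on which the redirect is written by the encoder
     * @param messageContext context holding the {@link AuthnRequest} to send
     * @param requiredLevel  the NSIS level recorded alongside the request
     * @param requestedUrl   the originally requested URL, recorded alongside the request (presumably the
     *                       location to return to after login — confirm against AuthnRequestWrapper)
     * @throws InternalException if the encoder cannot be initialised or the message cannot be encoded
     */
    private void sendAuthnRequest(HttpServletRequest request, HttpServletResponse response, MessageContext<SAMLObject> messageContext, NSISLevel requiredLevel, String requestedUrl) throws InternalException {
        AuthnRequest authnRequest = (AuthnRequest) messageContext.getMessage();
        try {
            log.debug("AuthnRequest: {}", StringUtil.elementToString(SamlHelper.marshallObject((XMLObject) authnRequest)));
        } catch (MarshallingException e) {
            // Logging only; the request is still sent below.
            log.warn("Could not marshall AuthnRequest for logging purposes");
        }

        // Use the level handed in by the caller rather than the field, so the parameter actually means something.
        AuthnRequestWrapper authnRequestWrapper = new AuthnRequestWrapper(authnRequest, requiredLevel, requestedUrl);
        OIOSAML3Service.getSessionHandlerFactory().getHandler().storeAuthnRequest(request.getSession(), authnRequestWrapper);
        log.info("Outgoing AuthnRequest - ID:'{}' Issuer:'{}' IssueInstant:'{}' Destination:'{}'",
                authnRequestWrapper.getId(), authnRequestWrapper.getIssuer(), authnRequestWrapper.getIssueInstant(), authnRequestWrapper.getDestination());

        HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
        encoder.setMessageContext(messageContext);
        encoder.setHttpServletResponse(response);
        try {
            OIOSAML3Service.getAuditService().auditLog(AuditRequestUtil.createBasicAuditBuilder(request, "BSA2", "SendAuthnRequest")
                    .withAuthnAttribute("AUTHN_REQUEST_ID", authnRequest.getID()));
            encoder.initialize();
            encoder.encode();
        } catch (ComponentInitializationException | MessageEncodingException e) {
            throw new InternalException("Failed sending AuthnRequest", e);
        }
    }

    /**
     * Copies all init-parameters of the filter into a map.
     *
     * @param filterConfig the container-supplied filter configuration
     * @return a mutable map from parameter name to value (values may be {@code null} as returned by the container)
     */
    private Map<String, String> getConfig(FilterConfig filterConfig) {
        Map<String, String> parameters = new HashMap<>();
        Enumeration<String> names = filterConfig.getInitParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            parameters.put(name, filterConfig.getInitParameter(name));
        }
        return parameters;
    }
}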
